From: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Date: Tue, 21 Feb 2017 09:24:25 +0000 (+0100)
Subject: install release keys in a saner way
X-Git-Url: https://git.proxmox.com/?p=pve-kernel-jessie.git;a=commitdiff_plain;h=9eeead76333efe9ff40d3911a4ca9abe50aef54c

install release keys in a saner way

apt actually expects single exported keys in the trusted
directory, not keyrings. recent gpg2 versions (like that in
Debian Stretch) switch to a different default keyring format
which apt does not handle at all, so the old hack will break
soon.

by changing the key format in this repository from armored
exported public key to binary exported public key, which
both apt in Debian Jessie and apt in Debian Stretch
understand, we can just install those two files directly
in the trusted dir.

bonus: the package content does not change based on gpg
version or configuration anymore.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
CC: dietmar@proxmox.com
CC: w.bumiller@proxmox.com
---

diff --git a/Makefile b/Makefile
index ed7e307..e7edb76 100644
--- a/Makefile
+++ b/Makefile
@@ -90,10 +90,6 @@ LINUX_TOOLS_DEB=${LINUX_TOOLS_PKG}_${KERNEL_VER}-${PKGREL}_amd64.deb
 
 DEBS=${DST_DEB} ${HDR_DEB} ${FW_DEB} ${PVE_DEB} ${VIRTUAL_HDR_DEB} ${LINUX_TOOLS_DEB}
 
-PVE_RELEASE_KEYS= 				\
-	proxmox-ve/proxmox-release-4.x.pubkey	\
-	proxmox-ve/proxmox-release-5.x.pubkey
-
 all: check_gcc ${DEBS}
 
 ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst ${PVE_RELEASE_KEYS}
@@ -101,7 +97,8 @@ ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst ${PVE_RELEASE_KEYS}
 	mkdir -p proxmox-ve/data/DEBIAN
 	mkdir -p proxmox-ve/data/usr/share/doc/${PVEPKG}/
 	mkdir -p proxmox-ve/data/etc/apt/trusted.gpg.d
-	gpg2 --no-default-keyring --keyring ./proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve.gpg --import ${PVE_RELEASE_KEYS}
+	install -m 0644 proxmox-ve/proxmox-release-4.x.pubkey proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve-release-4.x.gpg
+	install -m 0644 proxmox-ve/proxmox-release-5.x.pubkey proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
 	sed -e 's/@KVNAME@/${KVNAME}/' -e 's/@KERNEL_VER@/${KERNEL_VER}/' -e 's/@RELEASE@/${RELEASE}/' -e 's/@PKGREL@/${PKGREL}/' <proxmox-ve/control >proxmox-ve/data/DEBIAN/control
 	sed -e 's/@KVNAME@/${KVNAME}/' <proxmox-ve/postinst >proxmox-ve/data/DEBIAN/postinst
 	chmod 0755 proxmox-ve/data/DEBIAN/postinst
diff --git a/proxmox-ve/postinst b/proxmox-ve/postinst
index baf3d29..88cd778 100755
--- a/proxmox-ve/postinst
+++ b/proxmox-ve/postinst
@@ -19,6 +19,9 @@ case "$1" in
     # cleanup - remove Proxmox Release Key key from /etc/apt/trusted.gpg
     /usr/bin/apt-key --keyring /etc/apt/trusted.gpg del 9887F95A >/dev/null 2>&1 || /bin/true
 
+    # cleanup - remove old stretch-incompatible variant of installing release key
+    rm -f /etc/apt/trusted.gpg.d/proxmox-ve.gpg /etc/apt/trusted.gpg.d/proxmox-ve.gpg~
+
     # setup kernel links for installation CD (rescue boot)
     mkdir -p /boot/pve
     ln -sf /boot/vmlinuz-@KVNAME@ /boot/pve/vmlinuz
diff --git a/proxmox-ve/proxmox-release-4.x.pubkey b/proxmox-ve/proxmox-release-4.x.pubkey
index 816a8b8..40416a6 100644
Binary files a/proxmox-ve/proxmox-release-4.x.pubkey and b/proxmox-ve/proxmox-release-4.x.pubkey differ
diff --git a/proxmox-ve/proxmox-release-5.x.pubkey b/proxmox-ve/proxmox-release-5.x.pubkey
index e7002c9..8488f45 100644
Binary files a/proxmox-ve/proxmox-release-5.x.pubkey and b/proxmox-ve/proxmox-release-5.x.pubkey differ